Here is the relevant config section from the central server.
<ipsec>
  <mobilekey>
    <ident>private.network</ident>
    <pre-shared-key>xxxxx</pre-shared-key>
  </mobilekey>
  <mobileclients>
    <enable/>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <fqdn>private.network</fqdn>
      </myident>
      <encryption-algorithm>blowfish</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <private-key/>
      <cert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
  </mobileclients>
  <enable/>
</ipsec>
And from the remote location: (This is the side with the problems)
<ipsec>
  <enable/>
  <tunnel>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>172.30.200.0/24</remote-subnet>
    <remote-gateway>x.x.x.x</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <fqdn>private.network</fqdn>
      </myident>
      <encryption-algorithm>blowfish</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>xxxxx</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>Office VPN</descr>
  </tunnel>
</ipsec>
Chris Buechler wrote:
>On 9/29/05, Matt Groener <MGroener at line6 dot com> wrote:
>
>>We have the same issue as well. Does anyone have an ipsec config they can share that is solid? I
>>wonder if our timeout values are causing this.
>
>My experience is m0n0wall's IPsec components don't stand up well under
>poor network conditions (frequent drops, etc.).
>
>Can't really suggest much of anything, as my connections have never
>had these kinds of issues since they tend to be solid (or at least more
>solid than described). Out of curiosity, what are your timeouts?
>
>Just be glad you aren't running a Cisco router site-to-site VPN. I
>have the misfortune of running a network of those at work. If a T1
>hiccups for just a fraction of a second (making the serial int go down
>and up), the router drops its SAs and you have to manually clear the
>SA on the other end to get things to reconnect. I've put my
>m0n0walls through much worse and didn't have to touch them.
>
>-Chris
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
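When a tunnel flaps, the first two things worth checking are that phase 1 and phase 2 parameters agree exactly on both ends and that the remote's identifier matches a mobilekey ident on the central side (otherwise the central end cannot find the PSK for that peer). The script below is an added example, not m0n0wall code and not something the posters ran: it parses two XML fragments constructed from the configs quoted above (same placeholder PSK and gateway), reports any parameter that differs between the mobileclients and tunnel sections, and flags settings that are weak by today's standards (aggressive mode with a PSK, Blowfish, SHA-1, DH group 2, and a phase 2 lifetime longer than phase 1). The element names are the ones in the quoted config; the warning codes are my own.

```python
"""Compare the central (mobileclients) and remote (tunnel) IPsec phase 1/2
parameters of two m0n0wall-style XML fragments and flag weak settings.
Added example, not m0n0wall code; the XML is constructed from the fragments
quoted in the thread, with the same placeholder PSK and gateway."""
import xml.etree.ElementTree as ET

CENTRAL_XML = """<ipsec>
 <mobilekey><ident>private.network</ident><pre-shared-key>xxxxx</pre-shared-key></mobilekey>
 <mobileclients><enable/>
  <p1><mode>aggressive</mode><myident><fqdn>private.network</fqdn></myident>
   <encryption-algorithm>blowfish</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
   <dhgroup>2</dhgroup><lifetime>28800</lifetime>
   <authentication_method>pre_shared_key</authentication_method></p1>
  <p2><protocol>esp</protocol><encryption-algorithm-option>blowfish</encryption-algorithm-option>
   <hash-algorithm-option>hmac_sha1</hash-algorithm-option><pfsgroup>2</pfsgroup>
   <lifetime>86400</lifetime></p2>
 </mobileclients><enable/>
</ipsec>"""

REMOTE_XML = """<ipsec><enable/>
 <tunnel><interface>wan</interface><remote-subnet>172.30.200.0/24</remote-subnet>
  <remote-gateway>x.x.x.x</remote-gateway>
  <p1><mode>aggressive</mode><myident><fqdn>private.network</fqdn></myident>
   <encryption-algorithm>blowfish</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
   <dhgroup>2</dhgroup><lifetime>28800</lifetime><pre-shared-key>xxxxx</pre-shared-key>
   <authentication_method>pre_shared_key</authentication_method></p1>
  <p2><protocol>esp</protocol><encryption-algorithm-option>blowfish</encryption-algorithm-option>
   <hash-algorithm-option>hmac_sha1</hash-algorithm-option><pfsgroup>2</pfsgroup>
   <lifetime>86400</lifetime></p2>
  <descr>Office VPN</descr>
 </tunnel>
</ipsec>"""

# Parameters that must agree on both ends for the SAs to negotiate.
P1_KEYS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup",
           "lifetime", "authentication_method")
P2_KEYS = ("protocol", "encryption-algorithm-option", "hash-algorithm-option",
           "pfsgroup", "lifetime")
LEGACY_CIPHERS = {"blowfish", "des", "3des", "cast128"}  # prefer AES
WEAK_DH_GROUPS = {"1", "2"}                               # MODP 768/1024-bit


def phase_params(root, container):
    """Return {'p1/<key>': value, 'p2/<key>': value} for one side's config."""
    node = root.find(container)
    if node is None:
        raise ValueError(f"no <{container}> element in config")
    params = {}
    for phase, keys in (("p1", P1_KEYS), ("p2", P2_KEYS)):
        pnode = node.find(phase)
        for key in keys:
            el = pnode.find(key) if pnode is not None else None
            params[f"{phase}/{key}"] = (el.text or "").strip() if el is not None else None
    return params


def weak_settings(params):
    """Flag legacy or weak choices in one side's phase 1/2 parameters."""
    flags = set()
    if (params["p1/mode"] == "aggressive"
            and params["p1/authentication_method"] == "pre_shared_key"):
        # Aggressive mode + PSK: identities travel unencrypted and the PSK-derived
        # hash is exposed to offline guessing. Main mode or certificates are safer.
        flags.add("aggressive_mode_psk")
    for phase, key in (("p1", "encryption-algorithm"), ("p2", "encryption-algorithm-option")):
        if params[f"{phase}/{key}"] in LEGACY_CIPHERS:
            flags.add(f"legacy_cipher_{phase}:{params[f'{phase}/{key}']}")
    for phase, key in (("p1", "hash-algorithm"), ("p2", "hash-algorithm-option")):
        if "sha1" in (params[f"{phase}/{key}"] or ""):
            flags.add(f"legacy_hash_{phase}")
    for phase, key in (("p1", "dhgroup"), ("p2", "pfsgroup")):
        if params[f"{phase}/{key}"] in WEAK_DH_GROUPS:
            flags.add(f"weak_dh_{phase}:{params[f'{phase}/{key}']}")
    try:
        if int(params["p2/lifetime"]) > int(params["p1/lifetime"]):
            # Usual practice keeps the phase 2 lifetime at or below phase 1;
            # the reverse is unusual and worth reviewing when tunnels flap.
            flags.add("p2_lifetime_exceeds_p1")
    except (TypeError, ValueError):
        flags.add("lifetime_not_numeric")
    return flags


def audit(central_xml, remote_xml):
    """Return mismatched parameters and weak-setting flags across both sides."""
    central_root = ET.fromstring(central_xml)
    remote_root = ET.fromstring(remote_xml)
    central = phase_params(central_root, "mobileclients")
    remote = phase_params(remote_root, "tunnel")
    mismatches = sorted(k for k in central if central[k] != remote.get(k))
    warnings = weak_settings(central) | weak_settings(remote)
    # The remote's identifier must match a <mobilekey> ident on the central
    # side, or the central end cannot look up the PSK for this peer.
    known = {el.text.strip() for el in central_root.iterfind("mobilekey/ident") if el.text}
    ident = remote_root.findtext("tunnel/p1/myident/fqdn", default="").strip()
    if ident not in known:
        warnings.add("ident_not_in_mobilekey")
    return {"mismatches": mismatches, "warnings": sorted(warnings)}


if __name__ == "__main__":
    for name, value in audit(CENTRAL_XML, REMOTE_XML).items():
        print(name, value)
```

Run as-is it reports no mismatches for the two quoted configs (so a parameter mismatch is not the cause here) but does flag the aggressive-mode PSK, Blowfish, SHA-1 and DH group 2 choices, plus the 86400-second phase 2 lifetime exceeding the 28800-second phase 1 lifetime; change a single `<dhgroup>` on one side and the mismatch list names it.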